From 221bb4d517115f79f7874074128e43004c9083e2 Mon Sep 17 00:00:00 2001
From: Sandwich <sandwich@archworks.co>
Date: Sat, 21 Feb 2026 02:38:58 +0100
Subject: [PATCH] docs(cis): add comment explaining squashfs/snap Ubuntu
 exclusion

---
 roles/cis/tasks/modules.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/cis/tasks/modules.yml b/roles/cis/tasks/modules.yml
index 281fb89..b2801a2 100644
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -1,6 +1,7 @@
 ---
 - name: Disable Kernel Modules
   vars:
+    # Ubuntu uses squashfs for snap packages — blacklisting it breaks snap entirely
     cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
     cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}"
   ansible.builtin.copy: